Comprehensive compliance checklist for Digital Personal Data Protection Act 2023 implementation. Covers all Data Fiduciary obligations, consent management, breach notification procedures, and May 2027 enforcement readiness timeline.
Last updated: April 2026
The Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 (notified November 13, 2025) govern all processing of digital personal data in India. Full enforcement begins May 13, 2027 (18 months from notification). The Data Protection Board of India is already operational. The Consent Manager registration framework activates November 13, 2026 (12 months from notification). MTA is a Data Fiduciary for data it collects itself (it determines the purpose and means of processing); for personal data a client hands over for a campaign, the client is the Data Fiduciary and MTA is its Data Processor, so the contract clauses below must say which role applies.
Data Principal: Individual whose data is processed (gym members, website visitors, FitNexora users). Data Fiduciary: Entity that determines the purpose and means of processing (MTA for its own data). Data Processor: Entity that processes on behalf of a fiduciary (Supabase, Razorpay, AI tools on behalf of MTA; MTA on behalf of clients). Personal Data: Any data about an identifiable individual (name, email, phone, health data, IP address, behavioural data). Processing: Any operation on personal data, wholly or partly automated, including collection, storage, use, sharing and erasure.
ACCOUNTABILITY: MTA is responsible for all processing done on its behalf, including by processors (a leak at Predis.ai or Buffer is still MTA's liability). PROCESSOR CONTRACTS: Valid DPAs required with Supabase, Razorpay, Canva and every AI tool that sees personal data. ACCURACY: Keep data accurate and complete where it feeds decisions about a person (FitNexora records, appointments). TECHNICAL AND ORGANISATIONAL MEASURES: Written policies, access controls, staff training. SECURITY SAFEGUARDS: Encryption, Supabase RLS, access and processing logs retained long enough to investigate an incident. BREACH NOTIFICATION: Intimate affected Data Principals and the Board without delay; file the detailed report with the Board within 72 hours (longer only if the Board allows it). ERASURE: Delete when consent is withdrawn or the purpose is served, unless a law requires retention. CONTACT PERSON: Publish the business contact details of a person who can answer questions about MTA's processing. GRIEVANCE MECHANISM: Effective redressal process, published on the website and referenced in contracts.
Consent must be FREE, SPECIFIC, INFORMED, UNCONDITIONAL and UNAMBIGUOUS, given by a clear affirmative action (an unticked checkbox the person ticks, never a pre-ticked one). A notice is required before or together with the consent request, in plain language, explaining (1) the data collected, (2) the purpose, (3) how to exercise rights, and (4) how to complain to the Board. It must be available in English or any of the 22 languages in the Eighth Schedule of the Constitution. Withdrawal must be as easy as giving consent (same number of steps, same place). No bundling of unrelated purposes into one consent. Keep evidence of each consent (which notice version was shown, when, and what was ticked): in any dispute the Data Fiduciary must prove that notice was given and consent obtained. Children (<18): verifiable parental consent, and no tracking, behavioural monitoring or targeted advertising.
RIGHT TO ACCESS: Summary of the personal data being processed and the identities of every fiduciary and processor it has been shared with (the Rules set an outer limit of 90 days for a response; MTA should publish and meet a shorter internal target, e.g. 30 days). RIGHT TO CORRECTION: Update, complete or correct data without undue delay. RIGHT TO ERASURE: Delete data unless a law requires retention. RIGHT TO GRIEVANCE: Effective redressal within the published timeline, which cannot exceed 90 days. RIGHT TO NOMINATION: The principal may nominate someone to exercise these rights after death or incapacity. MTA must provide a documented mechanism for each right and keep a record of every request and its response.
DETECTION (T+0): Identify the breach, contain it (revoke keys, disable the leaking integration, restrict access), preserve logs, document the facts. INITIAL BOARD INTIMATION (without delay, before the full picture is known): nature, extent, timing and location of the breach and its likely impact. INTERNAL ASSESSMENT (T+24h): Determine scope, affected records and principals, and impact. DATA PRINCIPAL NOTICE (without delay): Plain-language description of what happened, the likely consequences, what MTA has done, what the person can do to protect themselves, and who to contact. DPB DETAILED REPORT (T+72h): Comprehensive report with updated facts, circumstances and cause, mitigation taken, findings about the person responsible if known, and remediation steps; ask the Board in writing if more time is needed. ONGOING UPDATES: Keep the Board and affected principals informed as the investigation progresses.
Maximum penalties under the Schedule to the Act (the Board fixes the actual amount per case): failure to take reasonable security safeguards to prevent a breach, ₹250 crore; failure to notify a breach to the Board or affected principals, ₹200 crore; breach of the obligations relating to children, ₹200 crore; breach of any other provision of the Act or Rules, ₹50 crore. The ₹10,000 figure is the penalty on a Data Principal for breaching their own duties (e.g. filing a false grievance), not a general non-compliance rate for fiduciaries. Average breach cost in India cited for 2026: ₹22 crore including legal, remediation and lost business.
1. Update Privacy Policy: Add the DPDP notice, the grievance process, the contact person, and the list of processors. 2. Client Contracts/SOWs: Insert the consent clause and a data processing addendum. 3. FitNexora App: Supabase RLS on every table holding member data; explicit per-purpose consent recorded at signup, withdrawable from the same screen. 4. SMM Workflows: Document the consent basis for audience data; label AI-assisted content; never put client personal data into prompts without permission. 5. Processor Agreements: Review Supabase, Razorpay and AI tool terms for DPDP-compliant DPAs (sub-processor list, breach notice to MTA, deletion on termination). 6. Internal: Appoint a grievance handler; keep an append-only, 2-year audit trail of consents and withdrawals. 7. Website: Clear privacy notice plus a consent banner with nothing pre-ticked. 8. Breach Response Plan: 1-page playbook (detect → contain and preserve logs → intimate Board and notify principals without delay → detailed report to Board within 72h), tested at least once before May 2027.
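The following is an added example, not code from MTA or the FitNexora project, showing one way to implement checklist items 3 and 6 (Supabase RLS with explicit consent flows, and an append-only consent audit trail) on Supabase's Postgres. It assumes members sign in through Supabase Auth, so `auth.uid()` and the `authenticated` and `anon` roles exist; the table, view and function names are hypothetical, and the `security_invoker` view option needs Postgres 15 or later.

```sql
-- Added example (not MTA/FitNexora code). Assumes Supabase Auth: auth.uid() returns the
-- signed-in member's id, and the "authenticated" / "anon" roles are the ones the app uses.

create table if not exists consent_events (
  id             bigint generated always as identity primary key,
  principal_id   uuid        not null,          -- auth.users.id of the Data Principal
  purpose        text        not null,          -- one specific purpose per row, never bundled
  action         text        not null check (action in ('granted', 'withdrawn')),
  notice_version text        not null,          -- the privacy notice the member was shown
  notice_lang    text        not null,          -- language of that notice, e.g. 'en' or 'hi'
  recorded_at    timestamptz not null default now()
);

create index if not exists consent_events_lookup
  on consent_events (principal_id, purpose, recorded_at desc);

-- Audit trail: the ledger is append-only. A withdrawal is a new row, never an update or delete.
revoke update, delete on consent_events from authenticated, anon;
alter table consent_events enable row level security;

-- Right to access: a member can read only their own consent history.
create policy consent_read_own on consent_events
  for select to authenticated
  using (principal_id = auth.uid());

-- A member may record events only about themselves. The app inserts 'granted' only after an
-- affirmative action (an unticked checkbox the member ticks), so "no row" means "no consent".
create policy consent_append_own on consent_events
  for insert to authenticated
  with check (principal_id = auth.uid());

-- Current state per purpose: the latest event wins. security_invoker keeps RLS in force for
-- whoever queries the view instead of running it as the view owner.
create or replace view current_consent with (security_invoker = true) as
select distinct on (principal_id, purpose)
       principal_id, purpose, (action = 'granted') as is_granted, recorded_at
  from consent_events
 order by principal_id, purpose, recorded_at desc;

-- Gate for processing paths (marketing sends, AI prompts): true only if the most recent
-- event for that purpose is 'granted'; a later 'withdrawn' row flips it back to false.
create or replace function has_consent(p_principal uuid, p_purpose text)
returns boolean language sql stable as $$
  select coalesce(
    (select action = 'granted'
       from consent_events
      where principal_id = p_principal and purpose = p_purpose
      order by recorded_at desc
      limit 1),
    false);
$$;

-- Withdrawal is as easy as giving consent: the same single insert, run from the member's
-- own session (purpose and notice_version values here are illustrative).
-- insert into consent_events (principal_id, purpose, action, notice_version, notice_lang)
-- values (auth.uid(), 'marketing_email', 'withdrawn', '2026-04', 'en');
```

Two caveats for whoever wires this in: the Supabase service_role key bypasses RLS entirely, so it must stay server-side and every consent check the app makes should run as the member; and because the ledger is the evidence MTA would need to prove a consent in a dispute, erasure requests should pseudonymise `principal_id` after the retention window rather than delete the rows outright.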
DPDP CONSENT CLAUSE: "Client confirms that valid consent under the DPDP Act 2023 has been obtained from all Data Principals whose personal data is provided to MTA for processing. Client remains the Data Fiduciary and MTA acts as Data Processor on Client's documented instructions." BREACH NOTIFICATION CLAUSE: "MTA will notify Client within 24 hours of detecting any personal data breach affecting Client's data. Client, as Data Fiduciary, is responsible for intimating the Data Protection Board and affected Data Principals without delay and for filing the detailed report with the Board within 72 hours under DPDP Act 2023 and the Rules; MTA will supply the facts needed for that report." AI PROCESSING CLAUSE: "MTA uses AI tools for service delivery. No Client personal data will be used for AI model training, or submitted to an AI tool that retains inputs for training, without separate written consent."
NOW (April 2026): Audit current practices, update the Privacy Policy, review processor agreements, implement consent mechanisms with the evidence trail. BY NOVEMBER 13, 2026: Consent Manager framework activates; all consent flows must be compliant and decide whether MTA will accept consents routed through a registered Consent Manager. BY MAY 13, 2027: Full enforcement begins; every obligation must be operational, the breach playbook tested end to end (including the 72-hour report), audit trails in place, and the grievance mechanism staffed and functional.